I want to route all traffic from the em0 network to the internet, and allow SSH connections from em0 to sshd on the OpenBSD box. All other ports should be closed.

My pf.conf looks like this:

block in
pass out on egress from em0:network to any nat-to (egress)
pass in on em0 proto tcp to self port 22

... But with these rules, I can't get to the internet from em0. If I change the last rule in pf.conf to:

pass in on em0

...then it works fine. I don't know much about pf (I'm more of an iptables person), but it looks like I need to actually open the ports I want to route. I don't want to open all ports on em0 - I only want port 22 to be open.
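An added example, not part of the question above: a ruleset that lets pf forward traffic from the em0 network while exposing only sshd on the firewall itself. It assumes the same names as the question (em0 for the LAN side, the egress interface group for the upstream side) and that the ssh clients sit on em0's network; pf's default stateful behaviour is relied on for the replies.

```pf
# Default deny for everything arriving on any interface.
block in

# NAT the LAN's outbound traffic as it leaves the upstream interface.
# Replies come back through the state entry this rule creates.
pass out on egress from em0:network to any nat-to (egress)

# Traffic addressed to the firewall itself (self = all of its addresses):
# allow only ssh, drop the rest. "quick" stops rule evaluation, so these
# two rules win over the general forwarding rule below.
pass in quick on em0 proto tcp from em0:network to self port 22
block in quick on em0 to self

# Everything else entering em0 from the LAN is forwarded, not delivered
# locally, so it never reaches a listening daemon on this box.
pass in on em0 from em0:network to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The reason the original ruleset blocks the LAN is that `block in` also covers packets that only transit the box: the forwarded packets enter on em0 and need a `pass in` of their own, separate from the rule for sshd. Because pf uses last-match semantics unless a rule carries `quick`, the two `quick` rules for `self` are placed before the general forwarding rule rather than after it.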